+|[Microsoft browser usage](browser-usage-report.md)|Yes|No¹|No¹|No¹|No¹|

+|[Microsoft 365 Apps usage](microsoft365-apps-usage-ww.md)|Yes|Yes|No¹|No¹|Yes

+|[Microsoft Teams user activity](microsoft-teams-user-activity-preview.md)|Yes|Yes|Yes|Yes|N/A²|

+|[Microsoft Teams device usage](microsoft-teams-device-usage-preview.md)|Yes|Yes|Yes|Yes|N/A²|

+|[Microsoft Teams usage activity](microsoft-teams-usage-activity.md)|Yes|Yes|Yes|Yes|N/A²|

+|[Yammer activity](yammer-activity-report-ww.md)|Yes|Yes|N/A²|N/A²|N/A²|

+|[Yammer device usage](yammer-device-usage-report-ww.md)|Yes|Yes|N/A²|N/A²|N/A²|

+|[Yammer groups activity report](yammer-groups-activity-report-ww.md)|Yes|Yes|N/A²|N/A²|N/A²|

+|[Forms activity](forms-activity-ww.md)|Yes|Yes|No¹|No¹|No¹|

+|[Dynamics 365 Customer Voice activity](forms-pro-activity-ww.md)|Yes|Yes|N/A²|N/A²|N/A²|

+|[Skype for Business Online activity](/SkypeForBusiness/skype-for-business-online-reporting/activity-report)|Yes|Yes|No¹|No¹|Yes|

+|[Skype for Business Online conference organized activity](/SkypeForBusiness/skype-for-business-online-reporting/conference-organizer-activity-report)|Yes|Yes|No¹|No¹|Yes|

+|[Skype for Business Online conference participant activity](/SkypeForBusiness/skype-for-business-online-reporting/conference-participant-activity-report)|Yes|Yes|No¹|No¹|Yes|

+|[Skype for Business Online peer-to-peer activity](/SkypeForBusiness/skype-for-business-online-reporting/peer-to-peer-activity-report)|Yes|Yes|No¹|No¹|Yes|

+N/A¹: The report is in plan to be released in the future. The <a href="https://www.microsoft.com/en-us/microsoft-365/roadmap?filters=" target="_blank">Microsoft 365 Roadmap</a> will be updated before the release.

+N/A²: The service is not available in the environment so no plan to release the report.

+If more than seven days have passed, [turn off recurring billing](renew-your-subscription.md). This prevents your subscription from renewing at the end of its term. You keep access to your products and services for the remainder of your subscription. If you have an annual subscription and are paying monthly, you are charged each month for the remainder of your subscription term.

+A Microsoft representative drafts a proposal that contains the items that you and your representative discussed. The representative sends you an email that has a link to the Azure marketplace portal. The site contains the proposal prepared specifically for you and your organization.

+After you receive the notification email, follow the link to the proposal site. After you sign in to the site, you can start the proposal review process.

+You must be a billing account owner or billing account contributor to successfully sign an agreement or buy products and services. If youΓÇÖre a Global admin but donΓÇÖt have one of those roles, you can assign the roles to yourself. If youΓÇÖre not a Global admin, ask your Global admin or billing account owner to assign one of the roles to you.

+The billing account owner and billing account contributor roles are assigned by using either of the following methods.

+### Assign roles in the Microsoft 365 admin center

+1. In the Microsoft 365 admin center, go to the **Billing** > <a href="https://go.microsoft.com/fwlink/p/?linkid=2084771" target="_blank">Billing accounts</a> page.

+2. On the **Billing accounts** page, in the **Billing account roles** section, select **Assign roles**.

+3. In the **Assign roles** pane, search for the name of the person to whom you want to assign a role.

+4. Select the box for the role name you want the person to have, then select **Assign**.

+### Assign roles in the Azure portal

+1. In the Azure portal, go to the <a href="https://portal.azure.com/#blade/Microsoft_Azure_GTM/ModernBillingMenuBlade/Overview" target="_blank">Access control (IAM)</a> page.

+2. On the **Access control (IAM)** page, select **Add**.

+3. In the **Add permission** pane, select the **Role** to assign to the user.

+4. Select the user, then select **Save**.

+- Are the person named in the proposal

+ **or**

+> [!NOTE]

+> Your proposal might include subscriptions with a future start date. For more information, see [Understand invoicing for future start dates](billing-and-payments/future-start-date.md).

+ Title: "Use customer-managed keys to encrypt your organization's auditing data"

+f1.keywords:

+- NOCSH

+audience: Admin

+ms.localizationpriority: medium

+- m365-security-compliance

+search.appverid:

+- MOE150

+- MET150

+description: "Learn how to use customer-managed keys to encrypt your organization's audit records."

+# Use Customer Key to encrypt audit records

+You can now enable Microsoft Purview Customer Key encryption for audit records. Auditing builds on the [Service encryption with Microsoft Purview Customer Key](customer-key-overview.md) to encrypt your organization's auditing data. Implementing Customer Key provides extra protection by preventing unauthorized systems or Microsoft data center personnel from viewing your auditing data in the auditing pipeline and at rest. Using Customer Key to encrypt your auditing data also helps you meet regulatory or compliance obligations because your organization provides and controls the encryption keys.

+Customer Key requires a Microsoft 365 E5 subscription. For more information, see [Microsoft 365 guidance for security & compliance](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance#information-protection-customer-key-for-microsoft-365).

+Even if you don't use Customer Key to encrypt your audit records, data at rest in Microsoft 365 is encrypted by default.

+## Implement Customer Key for auditing

+To implement Customer Key for auditing, you have to create a multi-workload Data Encryption Policy (DEP), which defines the encryption hierarchy. This hierarchy is used by the service to encrypt your auditing data using the two root keys you manage and the availability key that's autogenerated and protected by Microsoft.

+For detailed step-by-step instructions, see [Set up Customer Key](customer-key-set-up.md).

+After you complete the setup, Microsoft 365 encrypts all data in your organization, including audit records, using the keys that are identified in the multi-workload DEP that you created.

+## Offboarding from Customer Key

+If you decide not to use Customer Key for assigning multi-workload DEPs anymore, you'll need to reach out to Microsoft support with a request to ΓÇ£offboardΓÇ¥ from Customer Key. Ask the support team to file a service request against Microsoft Purview Customer Key team. Reach out to m365-ck@service.microsoft.com if you have any questions. See [Roll back from Customer Key to Microsoft managed Keys](customer-key-manage.md#roll-back-from-customer-key-to-microsoft-managed-keys) for more information.

+Customers may no longer want to manage their own keys and may opt to offboard from CMK.

+For Auditing - we have NOT ONBOARDED to MMK. So once the tenant offboards from CMK there will be NO fallback to second level of encryption. The data will be encrypted at rest by the default Azure storage encryption.

+<!--

+Steps:

+- Customer reaches out to MDEPS team to offboard from CMK.

+- MDEPS team offboards the customer and marks their DEPs as disabled -

+- New data for the customer / tenant will not be encrypted

+- Existing / Older encrypted data will be decrypted using the keys associated with the DEP

+NOTE: Even after offboarding, tenant is expected to keep their pre-used encryption keys and keep the MDEPS AAD app access to the AKVs till the lifetime of their encrypted data.

+-->

+## Offboarding from Microsoft 365

+Purging a multi-workload DEP is not supported for Microsoft Purview Customer Key. The multi-workload DEP is used to encrypt data across multiple workloads across all tenant users. Purging a multi-workload DEP would result in data from across multiple workloads becoming inaccessible. If you decide to exit Microsoft Purview services altogether, then you could pursue the path of tenant deletion per the [documented process](/azure/active-directory/enterprise-users/directory-delete-howto). See how to delete a tenant in Azure Active Directory."

+<!--

+- Customer in this case wants to leave the M365 eco-system and ensure all their data is purged / deleted.

+- In case of "multi-workload" DEP - purging or deleting the DEP is NOT allowed by policy.

+- In this case the customer would revoke access to the AKV containing the CMK keys.

+The customer would proceed with the Tenant Deprovisioning process in order to fully leave the service. They may revoke keys, but not required by the process.

+- This change would be reflected in ~24 hours across ALE and MDEPS after caches have expired.

+- Ideally since customer is exiting the eco-system, no more audit events would be generated for the customer. However in case there are new audit events for the customer, then they will NOT be encrypted using CMK as customer has offboarded / revoked key access.

+-->

+## More information

+- It takes up to 24 hours after you complete the implementation steps to encrypt your organization's auditing records.

+- If your organization already has MDEPS support for other workloads (e.g. Exchange or SharePoint), you only have to enable it for multiple workloads.

+- Only audit records that are generated after Customer Key for auditing is implemented (or if your organization implemented Customer Key for multiple workloads) will be encrypted. Existing audit records aren't encrypted.

+- **Export audit records to a CSV file**. After running the Audit log search tool in the compliance portal, you can export the audit records returned by the search to a CSV file. This lets you use Microsoft Excel sort and filter on different audit record properties. You can also use Excel Power Query transform functionality to split each property in the AuditData JSON object into its own column. This lets you effectively view and compare similar data for different events. For more information, see [Export, configure, and view audit log records](export-view-audit-log-records.md).

+- Microsoft Purview Business Basic subscription

+- Microsoft Purview Apps for Business subscription

+- Microsoft Purview Enterprise E3 subscription

+- Microsoft Purview Business Premium

+- Microsoft Purview Education A3 subscription

+- Microsoft Purview Government G3 subscription

+- Microsoft Purview Government G1 subscription

+- Microsoft Purview Frontline F1 or F3 subscription, or F5 Security add-on

+ - Enabling the auditing of crucial events and then turning on the Audit (Premium)ing app/service plan for those users.

+3. Set up audit log retention policies. In addition to the default policy that retains Exchange, SharePoint, and Azure AD audit records for one year, you can create additional audit log retention policies to meet the requirements of your organization's security operations, IT, and compliance teams.

+## Encrypt audit records using Customer Key

+You can enable Customer Key encryption for audit records. Auditing builds on the [Service encryption with Customer Key](customer-key-overview.md) to encrypt sensitive information in your organization's auditing data. Implementing Customer Key provides extra protection by preventing unauthorized systems or Microsoft data center personnel from viewing your auditing data in the auditing pipeline and at rest. Using Customer Key to encrypt your auditing data also helps you meet regulatory or compliance obligations because your organization provides and controls the encryption keys.

+To implement Customer Key for auditing, you have to create a multi-workload Data Encryption Policy (DEP), which defines the encryption hierarchy. For detailed step-by-step instructions, see [Set up Customer Key](customer-key-set-up.md).

+> [!NOTE]

+> Not all audit records in your organization are encrypted. The Microsoft Purview service that generates specific audit records for activity in that service defines whether the audit record is encrypted or not.

+Training your security operations team, IT administrators, and compliance investigators team in the fundamentals for Audit (Standard) and Audit (Premium) can help your organization get started more quickly using auditing to help with your investigations. Microsoft Purview provides the following resource to help these users in your organization getting started with auditing: [Describe the eDiscovery and audit capabilities of Microsoft Purview](/learn/modules/describe-ediscovery-capabilities-of-microsoft-365).

+- Unified audit log storage

+<!--China endpoints version 2022042800-->

+<!--File generated 2022-04-29 08:00:06.8654-->

+17 | Allow<BR>Required | No | `*.auth.microsoft.cn, login.partner.microsoftonline.cn, microsoftgraph.chinacloudapi.cn`<BR>`40.72.70.0/23, 42.159.87.106/32, 42.159.92.96/32, 52.130.2.32/27, 52.130.3.64/27, 52.130.17.192/27, 52.130.18.32/27, 139.217.115.121/32, 139.217.118.25/32, 139.217.118.46/32, 139.217.118.54/32, 139.217.228.95/32, 139.217.231.198/32, 139.217.231.208/32, 139.217.231.219/32, 139.219.132.56/32, 139.219.133.182/32, 2406:e500:5500::/48` | **TCP:** 443, 80

+<!--USGovDoD endpoints version 2022042800-->

+<!--File generated 2022-04-29 08:00:04.2241-->

+13 | Allow<BR>Required | Yes | `*.auth.microsoft.us, *.gov.us.microsoftonline.com, dod-graph.microsoft.us, graph.microsoftazure.us, login.microsoftonline.us`<BR>`20.140.232.0/23, 52.126.194.0/23, 2001:489a:3500::/50` | **TCP:** 443

+<!--USGovGCCHigh endpoints version 2022042800-->

+<!--File generated 2022-04-29 08:00:05.6638-->

+13 | Allow<BR>Required | Yes | `*.auth.microsoft.us, *.gov.us.microsoftonline.com, graph.microsoft.us, graph.microsoftazure.us, login.microsoftonline.us`<BR>`20.140.232.0/23, 52.126.194.0/23, 2001:489a:3500::/50` | **TCP:** 443

+<!--Worldwide endpoints version 2022042800-->

+<!--File generated 2022-04-29 08:00:02.4595-->

+ | -- | | | -

+56 | Allow<BR>Required | Yes | `*.auth.microsoft.com, *.msftidentity.com, *.msidentity.com, account.activedirectory.windowsazure.com, accounts.accesscontrol.windows.net, adminwebservice.microsoftonline.com, api.passwordreset.microsoftonline.com, autologon.microsoftazuread-sso.com, becws.microsoftonline.com, ccs.login.microsoftonline.com, clientconfig.microsoftonline-p.net, companymanager.microsoftonline.com, device.login.microsoftonline.com, graph.microsoft.com, graph.windows.net, login.microsoft.com, login.microsoftonline.com, login.microsoftonline-p.com, login.windows.net, logincert.microsoftonline.com, loginex.microsoftonline.com, login-us.microsoftonline.com, nexus.microsoftonline-p.com, passwordreset.microsoftonline.com, provisioningapi.microsoftonline.com`<BR>`20.190.128.0/18, 40.126.0.0/18, 2603:1006:2000::/48, 2603:1007:200::/48, 2603:1016:1400::/48, 2603:1017::/48, 2603:1026:3000::/48, 2603:1027:1::/48, 2603:1036:3000::/48, 2603:1037:1::/48, 2603:1046:2000::/48, 2603:1047:1::/48, 2603:1056:2000::/48, 2603:1057:2::/48` | **TCP:** 443, 80

+64 | Allow<BR>Required | Yes | `*.compliance.microsoft.com, *.protection.office.com, *.security.microsoft.com, compliance.microsoft.com, defender.microsoft.com, protection.office.com, security.microsoft.com`<BR>`52.108.0.0/14, 2603:1006:1400::/40, 2603:1016:2400::/40, 2603:1026:2400::/40, 2603:1036:2400::/40, 2603:1046:1400::/40, 2603:1056:1400::/40, 2a01:111:200a:a::/64, 2a01:111:2035:8::/64, 2a01:111:f406:1::/64, 2a01:111:f406:c00::/64, 2a01:111:f406:1004::/64, 2a01:111:f406:1805::/64, 2a01:111:f406:3404::/64, 2a01:111:f406:8000::/64, 2a01:111:f406:8801::/64, 2a01:111:f406:a003::/64` | **TCP:** 443

+> If organizations are configured to send user reported messages to the custom mailbox only, reported messages will appear in **User reported messages** but their results will always be empty (as they would not have been rescanned).

+- Both add-ins are not available for on-premises Exchange mailboxes.

+ :::image type="content" source="../../media/ReportMessageGETITNOW.png" alt-text="The Get It Now report message." lightbox="../../media/ReportMessageGETITNOW.png":::

+ > :::image type="content" source="../../media/OutlookReportMessageIcon.png" alt-text="The Report Message add-in icon for Outlook." lightbox="../../media/OutlookReportMessageIcon.png":::

+ > :::image type="content" source="../../media/microsoft-365-admin-center-integrated-apps.png" alt-text="The Microsoft 365 admin center Integrated apps." lightbox="../../media/microsoft-365-admin-center-integrated-apps.png":::

+2. In the **Microsoft 365 Apps** page that appears, click in the **Search** box, enter **Report Message**, and then click **Search** . In the list of results, find and select **Report Message**.

+3. The app details page opens. Select **Get It Now**.

+ > :::image type="content" source="../../media/microsoft-365-admin-center-report-message.png" alt-text="The Report Message add-in." lightbox="../../media/microsoft-365-admin-center-report-message.png":::

+4. Complete the basic profile information, and then click **Continue**.

+ > :::image type="content" source="../../media/microsoft-365-admin-center-profile-info.png" alt-text="The Report Message add-in profile setup." lightbox="../../media/microsoft-365-admin-center-profile-info.png":::

+5. The **Deploy New App** flyout opens. Configure the following settings. Click **Next** to go to the next page to complete setup.

+ > :::image type="content" source="../../media/microsoft-365-admin-center-deploy-new-app.png" alt-text="The Accept permissions requests page." lightbox="../../media/microsoft-365-admin-center-deploy-new-app.png":::

+ - **Finish deployment**: Review and finish deploying the add-in.

+ - **Deployment completed**: Select **Done** to complete the setup.

+ > :::image type="content" source="../../media/microsoft-365-admin-center-deployment-complete.png" alt-text="The notification message of the deployment completed." lightbox="../../media/microsoft-365-admin-center-deployment-complete.png":::

+ > :::image type="content" source="../../media/microsoft-365-admin-center-report-message-edit.png" alt-text="The Report Message flyout." lightbox="../../media/microsoft-365-admin-center-report-message-edit.png":::

+3. To remove the add-in, select **Remove app** under **Actions** in the same flyout.

+ > :::image type="content" source="../../media/microsoft-365-admin-center-integrated-apps.png" alt-text="The Microsoft 365 admin center Integrated apps." lightbox="../../media/microsoft-365-admin-center-integrated-apps.png":::

+2. In the **Microsoft 365 Apps** page that appears, click in the **Search** box, enter **Report Phishing**, and then click **Search** . In the list of results, find and select **Report Phishing**.

+5. The **Deploy New App** flyout opens. Follow the steps [described above](enable-the-report-message-add-in.md#get-the-report-message-add-in-for-your-organization) to complete setup.

+ > :::image type="content" source="../../media/microsoft-365-admin-center-report-phishing-edit.png" alt-text="The Report Phishing flyout." lightbox="../../media/microsoft-365-admin-center-report-phishing-edit.png":::

+3. To remove the add-in, select **Remove app** under **Actions** in the same flyout.

+> - Based on what filters determined the mail to be malicious, during mail flow, the allows are added. For example, if filters found both sender and URL to be bad, an allow will be added for each.

+> - When that entity (sender, domain, URL, file) is encountered again, all filters associated with that entity are skipped.

+> - For an email (containing this entity) during mail flow, if the rest of the filters find the email to be clean, the email will be delivered. For example, a sender allow (when authentication passes) will bypass all verdicts except malware and high confidence phishing associated with an attachment or URL.

+> - When the URL is encountered again, the URL is not sent for detonation or reputation checks and all other URL-based filters are skipped.

+> - So for an email (containing this URL), during mail flow, if the rest of the filters find the email to be clean then the email will be delivered.

+> - So for an email (containing this file), during mail flow, if the rest of the filters find the email to be clean then the email will be delivered.

+> - Spoof supports both allow and block. URL supports only block.

+|[Enable the Report Message or the Report Phishing add-ins](enable-the-report-message-add-in.md)|Works with Outlook and Outlook on the web (formerly known as Outlook Web App). <br/><br/> Depending on your subscription, messages that users reported with the add-ins are available in [the Admin Submissions portal](admin-submission.md), [Automated investigation and response (AIR) results](air-view-investigation-results.md), the [User-reported messages report](view-email-security-reports.md#user-reported-messages-report), and [Explorer](threat-explorer-views.md#email--submissions). <br/><br/> You can configure reported messages to be copied or redirected to a mailbox that you specify. For more information, see [User submissions policies](user-submission.md).

+> When you report an email entity to Microsoft, we make a copy of everything associated with the email to include it in our continual algorithm reviews. This copy includes the email content, the email headers, and related data about the email routing. Attachments in the message are also included.

+>

+> Microsoft treats your feedback as your organization's permission for us to analyze all of the previously described information and to work to fine tune the message hygiene algorithms. We hold your message in our secure audited datacenters in the USA until we delete your submission no later than 30 days after you provided it to us. Personnel at Microsoft may read your submitted message and attachments, which is normally not permitted for email in Office 365. However, your email is still treated as confidential between you and Microsoft, and we will provide your submission to any other party to read the email or its attachments for this review process.

+f1.keywords:

+search.appverid:

+ - To add and remove values from the Tenant Allow/Block List, you need to be a member of

+ - **Organization Management** or **Security Administrator** role group (**Security admin role**)

+ - **Security Operator** role group (**Tenant AllowBlockList Manager**).

+ - For read-only access to the Tenant Allow/Block List, you need to be a member of

+ > - Adding users to the corresponding Azure Active Directory role in the Microsoft 365 admin center gives users the required permissions *and* permissions for other features in Microsoft 365. For more information, see [About admin roles](../../admin/add-users/about-admin-roles.md).

+3. When you're finished, click **Add**.

+Adding a domain pair only allows or blocks the *combination* of the spoofed user *and* the sending infrastructure. It does not allow email from the spoofed user from any source, nor does it allow email from the sending infrastructure source for any spoofed user.

+For a companion guide for how to use your trial, see [Trial playbook: Microsoft Defender for Office 365](trial-playbook-defender-for-office-365.md).

+ > If organizations are configured to send user reported messages to the custom mailbox only, reported messages will appear in **User reported messages** but their results will always be empty (as they would not have been rescanned).

+f1.keywords:

+search.appverid:

+> Spoofed sender management in the Microsoft 365 Defender portal is now available only on the **Spoofing** tab in the Tenant Allow/Block List. For current procedures in the Microsoft 365 Defender portal, see [Spoof intelligence insight in EOP](learn-about-spoof-intelligence.md).

+>

+> Spoofed sender management in Exchange Online PowerShell or Standalone EOP PowerShell is in the process of being migrated exclusively to the related **\*-TenantAllowBlockListSpoofItems**, **Get-SpoofIntelligenceInsight**, and **Get-SpoofMailReport** cmdlets. For procedures using these cmdlets, see the following articles:

+>

+> - [View spoofed sender entries using PowerShell](tenant-allow-block-list.md#view-spoofed-sender-entries)

+> - [Add spoofed sender allow entries using PowerShell](manage-tenant-allows.md#add-spoofed-sender-allow-entries-using-powershell)

+> - [Add spoofed sender block entries using PowerShell](manage-tenant-blocks.md#add-spoofed-sender-block-entries)

+> - [Modify spoofed sender entries using PowerShell](modify-remove-entries-tenant-allow-block.md#modify-allow-or-block-spoofed-sender-entries-from-the-tenant-allowblock-list)

+> - [Remove spoofed sender entries using PowerShell](modify-remove-entries-tenant-allow-block.md#remove-allow-or-block-spoofed-sender-entries-from-the-tenant-allowblock-list)

+>

+> The older spoofed sender management experience using the **Get-PhishFilterPolicy** and **Set-PhishFilterPolicy** cmdlets is in the process of being deprecated, but is still presented in this article for completeness until the cmdlets are removed everywhere.

+ - To modify the spoof intelligence policy or enable or disable spoof intelligence, you need to be a member of:

+ - **Organization Management**

+ - **Security Administrator** <u>and</u> **View-Only Configuration** or **View-Only Organization Management**.

+## Use PowerShell to manage spoofed senders

+To verify that you've configured spoof intelligence with senders who are allowed and not allowed to spoof, run the following commands in PowerShell to view the senders who are allowed and not allowed to spoof: